Critical AI-Driven Vulnerability Discovered in ServiceNow Could Lead to Full System Compromise

Thursday, January 15, 2026

ServiceNow, a large-scale IT service management platform used by 85% of Fortune 500 companies, has been found to contain what security researchers describe as “the most severe AI-driven vulnerability ever discovered.” The issue stems from ServiceNow’s integration of its new agentic AI system with the legacy Virtual Agent chatbot, whose authentication is weak: the platform relies on a predictable universal credential for certain internal connections. As a result, an attacker who knows only a target’s email address and basic domain information could potentially gain access to the system without a password or multi-factor authentication (MFA).

The danger of this vulnerability lies in an attacker’s ability to abuse the AI’s capabilities to escalate privileges, ultimately achieving full administrative control over the platform. That level of access effectively grants unrestricted reach into an organization’s critical systems, including human resources data, customer service systems, and security operations. Even more concerning, ServiceNow is commonly integrated with other enterprise platforms, such as Salesforce and Microsoft services, so an attacker could use it as a launch point for lateral movement into connected systems, which significantly raises the risk of a supply chain–level compromise.

ServiceNow has confirmed that a patch was released on October 30 and stated that there is no evidence of active exploitation at this time. However, researchers from AppOmni, who discovered the issue, strongly recommend that organizations using ServiceNow confirm the patch has been applied and conduct thorough security reviews to ensure their environments are not exposed. They emphasize that organizations deploying AI agents must enforce strict permission controls, must not grant AI systems unrestricted access to create or modify sensitive data, and should carry out rigorous AI security assessments before putting such technologies into production.
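One way to apply the permission-control advice above, as an added example that is not code from ServiceNow, AppOmni or the article: a Python gate that mediates an AI agent’s tool calls. It binds every call to a verified end-user session, takes the effective permission as the intersection of the agent’s own grant and the user’s grant (so the agent never needs a universal credential of its own), refuses writes to tables that confer privilege regardless of who is asking, and records every decision. The table names, scopes and sessions are constructed for illustration and are not ServiceNow’s.

```python
"""Least-privilege gate for an AI agent's tool calls (added example; table,
scope and user names are illustrative, not ServiceNow's)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"


WRITE_ACTIONS = {Action.CREATE, Action.UPDATE, Action.DELETE}

# Illustrative tables whose contents decide who may do what. Writing to them is
# how a foothold becomes administrative control, so the gate refuses such
# writes unconditionally, even for an administrator's session.
PRIVILEGE_BEARING_TABLES = {"user_roles", "role_assignments", "access_policies"}


@dataclass(frozen=True)
class Session:
    """A verified end-user session that the agent acts on behalf of."""
    user: str
    mfa_verified: bool
    scopes: Dict[str, Set[Action]]  # table -> actions this user may perform


@dataclass(frozen=True)
class ToolCall:
    table: str
    action: Action


@dataclass
class AgentToolGate:
    """Mediates every backend call an agent attempts."""
    # The agent's own grant: a ceiling that no user session can raise.
    agent_scopes: Dict[str, Set[Action]]
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def authorize(self, session: Session, call: ToolCall) -> Tuple[bool, str]:
        allowed, reason = self._decide(session, call)
        # Record every decision so a refused escalation attempt is still visible.
        self.audit.append((session.user, call.table, call.action.value,
                           "allow" if allowed else f"deny:{reason}"))
        return allowed, reason

    def _decide(self, session: Session, call: ToolCall) -> Tuple[bool, str]:
        is_write = call.action in WRITE_ACTIONS
        # 1. Writes require a session that actually proved who the user is.
        if is_write and not session.mfa_verified:
            return False, "write requires MFA-verified session"
        # 2. No path from the agent to privilege-bearing data, for anyone.
        if is_write and call.table in PRIVILEGE_BEARING_TABLES:
            return False, "privilege-bearing table is not writable via agent"
        # 3. Effective permission is the intersection of agent and user grants:
        #    the agent never exceeds the user it serves, and the user never
        #    gains authority by routing a request through the agent.
        if call.action not in self.agent_scopes.get(call.table, set()):
            return False, "outside agent's granted scope"
        if call.action not in session.scopes.get(call.table, set()):
            return False, "outside user's granted scope"
        return True, "ok"


def build_gate() -> AgentToolGate:
    # Constructed grant: the agent may work tickets and read the knowledge base.
    return AgentToolGate(agent_scopes={
        "incident": {Action.READ, Action.CREATE, Action.UPDATE},
        "kb_article": {Action.READ},
    })


def demo() -> List[Tuple[str, str, str, str]]:
    """Run constructed tool calls through the gate and return the audit trail."""
    gate = build_gate()
    staff = Session("alice@example.com", mfa_verified=True,
                    scopes={"incident": {Action.READ, Action.UPDATE},
                            "kb_article": {Action.READ}})
    staff_no_mfa = Session("alice@example.com", mfa_verified=False,
                           scopes=staff.scopes)
    admin = Session("admin@example.com", mfa_verified=True,
                    scopes={t: set(Action) for t in
                            ("incident", "kb_article", "user_roles", "employee_records")})
    calls = [
        (staff, ToolCall("incident", Action.READ)),           # allow
        (staff_no_mfa, ToolCall("incident", Action.UPDATE)),  # deny: no MFA
        (staff, ToolCall("incident", Action.CREATE)),         # deny: user lacks create
        (staff, ToolCall("kb_article", Action.UPDATE)),       # deny: agent lacks update
        (admin, ToolCall("user_roles", Action.CREATE)),       # deny: privilege-bearing
        (admin, ToolCall("employee_records", Action.READ)),   # deny: agent has no grant
    ]
    for session, call in calls:
        gate.authorize(session, call)
    return gate.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The design choice worth noting is rule 3: because the effective permission is the meet of two grants, neither a compromised agent credential nor a compromised user account alone yields more than that user could already do, and rule 2 closes the escalation path the article describes by keeping role and policy tables out of the agent’s reach entirely.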

Source https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow